Good read and it's true too. With all these useful reconnaissance tools out today like Maltego, all attackers have to do nowadays is do some information gathering, then own your e-mail accounts. This definitely sounds like the way I'd go, depending on the computer literacy of the user I'd be attacking. Of course there are always other ways of getting passwords, like phishing, but if a user knows their shit on creating passwords this is the thing to do. Personally, besides Maltego, I've found target MySpace accounts that hold juicy personal information about the target, and if people were to get their hands on it, it could be useful for going the 'Forgot My Password' route. Of course when going this way, social engineering will be useful too.

I don't think we'll be able to get away from it anytime soon, but there are some things that can be done to make it safer.

On some of the sites I use, the site sends an email with a unique URL to the address that I registered with. After clicking the link, I still have to enter some personal information. This isn't perfect--someone could have already compromised my email--but it's better than letting me reset the password entirely in-band.

Sites also need to log IP addresses when a reset is requested and monitor post-reset activity. If your banking password is reset, the bank should not allow your account to transfer all of your money to another account or allow a transaction that is 10x normal without actually calling you to make sure everything is okay.

One thing I do to protect myself is to use information that is not true, but that I can remember. You can't get the answers to my questions by going to my MySpace page.
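The two controls described above (an emailed single-use link followed by a second check, and a hold on unusually large transfers right after a reset) as an added Python sketch; this is illustrative code, not any site's or bank's implementation, and the 15-minute token lifetime and 24-hour hold window are assumed policy values (the 10x threshold is the figure from the post).

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60          # assumed: emailed reset links expire after 15 minutes
POST_RESET_HOLD = 24 * 3600  # assumed: window after a reset in which large transfers need a call-back


class ResetService:
    """Out-of-band reset: single-use emailed link, then a second check, with an audit log."""

    def __init__(self):
        self.pending = {}     # sha256(token) -> (email, expires_at); raw tokens are never stored
        self.last_reset = {}  # email -> timestamp of last completed reset
        self.audit = []       # (event, email, requesting_ip, timestamp)

    def request_reset(self, email, ip, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # the secret part of the URL sent to the registered address
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (email, now + TOKEN_TTL)
        self.audit.append(("reset_requested", email, ip, now))  # log the requester's IP
        return token  # goes only into the e-mail, never back to the in-band requester

    def complete_reset(self, token, second_check_ok, ip, now=None):
        """Consume the link; succeed only if it is unexpired and the extra personal check passed."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # single use: removed whether or not the reset succeeds
        if entry is None:
            return False
        email, expires_at = entry
        if now > expires_at or not second_check_ok:
            self.audit.append(("reset_failed", email, ip, now))
            return False
        self.last_reset[email] = now
        self.audit.append(("reset_completed", email, ip, now))
        return True

    def transfer_needs_callback(self, email, amount, typical_amount, now=None):
        """Post-reset monitoring: a transfer of 10x the usual size shortly after a reset needs a phone call."""
        now = time.time() if now is None else now
        recently_reset = now - self.last_reset.get(email, float("-inf")) < POST_RESET_HOLD
        return recently_reset and amount >= 10 * typical_amount
```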

I see what you mean with the bank and using information when registering that is false but can be remembered by you, and I highly agree. I'm just saying that in the past I've been able to retrieve the birthday, zip code, and the answer to people's secret questions, but then again they weren't exactly into security and even stated the high schools they attended, etc.

Your post just goes to show where the weakest link still is. Even with the recon tools and social engineering, compromising an account wouldn't be possible without the user.

Unicityd,

I do the same things with my secret questions. As for the banks doing what you suggest, do you trust them? I'm sure that they are reasonably secure, but how far do you really trust them? The way current law is around here is that they must take reasonable precautions. As a security guy, I push for as tight a control as possible, while that is not always financially feasible.

This is one of the oldest "hacks" around for personal email. I have used it myself on occasion when I was asked to test the security of personal emails. I usually recommend false data to be used for your password reset.

Last edited by Kev on Fri Sep 05, 2008 1:37 pm, edited 1 time in total.

Not directly related to password resets, but it is still in the realm of how organisations (banks in this case) use insecure information to validate identity.

I called bank X to discuss my account. First I had to enter my account number via touch tone phone (don't know how secure this is; my guess is I don't want to know either...), then I had to enter my 'security PIN', which is automatically set to date of birth in 6 figures (no way of changing). When I finally got through to a human I was asked two 'random security questions': how old I'll be at my next birthday (see PIN), and what day of the week my last birthday was (again, see PIN). I could only answer the last one because I called 2 weeks after my birthday.

Whilst I think all this is poor, I'm stuck in the same boat as sgt_mjc: I can't think of a better way.

I tried resetting the passwords of some random people that I found on Google. And I have about a 25% success rate (although I didn't actually reset their passwords, I just went up to the password reset page after answering the secret question and closed it).

Scary, isn't it?

There is no rule, law or tradition that applies universally... including this one.

I think that multi-factor authentication is going to eventually be the key to this. It will end up being a pain, but until we come up with something better than passwords, it will probably be better than what we have. I know that PayPal and some of the others already have one-time-password generator fobs which you can use along with your username and PIN in order to log in. That still doesn't solve the forgot-my-PIN problem, but even if they can reset your PIN, they still have to social engineer you into providing your OTP. I figure eventually you'll lick the screen and it will test your DNA to let you in or something, but I think I'd still rather use the OTP generator than log in at the library when that happens.

apollo wrote: I think that multi-factor authentication is going to eventually be the key to this. It will end up being a pain, but until we come up with something better than passwords, it will probably be better than what we have. I know that PayPal and some of the others already have one-time-password generator fobs which you can use along with your username and PIN in order to log in. That still doesn't solve the forgot-my-PIN problem...

I agree that some sort of multifactor is the fix, at least for the short term.

The problem is how you pay for all those keyfobs. Businesses have money to do that, or have a vested interest in protecting their customers from harm, especially when that harm usually means losing business, so they may give them to their users.

Free email services make money from advertising; I doubt Yahoo will be handing out keyfobs, and I doubt the majority of Yahoo's free email service users will be shelling out the money for them either. So what are we to do?

I know that I'm no fan of paying for a service like email. I get an account with my ISP, but I'm not expecting a keyfob anytime soon. As for my Yahoo account, I use it for all of the stuff I want to have around for a while. That is the one thing I don't like about my ISP account: if I change service, I lose it.

As far as free email accounts are concerned, if you follow good password rules along with false password reset information you will be fine in most cases. Your main concern then will be keyloggers. Never check your email from a public computer, say for instance one in a hotel lobby. Someone I know just did, and there was a keylogger installed that captured his email password, which in turn allowed whoever it was to transfer a large amount of money from his Etrade account. Your second concern would be checking your email from free wifi hotspots where you might encounter fake login pages or session captures. Session captures with tools like ferret, etc., work OK in lab situations but are tricky to do in the real world, at least in my experience, and are still rare, so I am not as worried about those at this time. However, I am sure in time it will improve and become more popular. I guess if we really want to get paranoid, we can worry about sniffers being placed at the ISP, which is not a bad reason to encrypt, actually.

I am sure everyone has read this about Sarah Palin on the Errata Security site: The "hacker" saw the e-mail address "gov.sarah@yahoo.com" appear in a Washington Post story about the Governor. He tried the password recovery tool and found the question. He googled for information about the answer. After a few tries like "high school" he finally got the right one, "Wasilla high".

If you feel inclined to use a free email service, use Gmail. For instance, while Yahoo will give up your secret question to anybody who asks for it, Gmail will only give out your secret question after 5 days of inactivity on the account. Not a huge security advantage, but little things can still add up to frustrate some attackers.

Last edited by Kev on Sat Sep 20, 2008 11:12 am, edited 1 time in total.

One thing that I discovered by mistake was that, after I read about the Palin hack, I tried to see how easy it was to hack my Yahoo account. I got halfway through but couldn't remember my secret question, and realized it was a custom question that I made years ago, so I sent a request to Yahoo to reset it and change the new question.

Anyway, I got an email back from Yahoo stating I need to follow a link to set up a new question. Well, I never followed through with it, but I still have the link. So, I went back to reset my password (without following the link first) and, interestingly, it gave me an error stating: Sorry, your password can't be reset online

So if a hacker were to try to reset my account, they would be greeted with this dead end. I am planning on changing the question sometime in the future, but for now it's actually pretty safe because the reset option is sorta in limbo, so to speak.